We have never given up on releasing The Interview and we’re excited our movie will be in a number of theaters on Christmas Day. At the same time, we are continuing our efforts to secure more platforms and more theaters so that this movie reaches the largest possible audience.

Now easily one of the most talked-about films in the U.S., The Interview will draw hordes of viewers no matter where it’s released — after all, the forbidden fruit must be tasted. It would’ve been interesting had Sony taken advantage of this strange opportunity to release the film in a non-traditional way, but to some degree, Sony may still end up doing just that; a simultaneous online release is reportedly on the table.

Another week, another hacking scandal. At least, that’s what it’s starting to feel like, as more and more major companies fall victim to hackers.

This not only raises real questions about online security but also makes us wonder about the effects on the hacked companies themselves. What happens to them — and their stock prices — when word of a security breach hits the front page?

Here are five of the biggest hacking scandals in recent years and accompanying financials to chew on:

Apple

Early this month, Apple came under scrutiny for a vulnerability in its iCloud service that resulted in the theft of private photos of several famous actresses. The problem appeared to be an issue with the Find My iPhone feature, which reportedly did not limit repeated login attempts, giving hackers from the anonymous message board 4chan a way to guess celebrity passwords … and thus a sampling of NSFW photos.

On the surface, it might seem an industry giant like Apple is impervious to such scandals, but that doesn’t appear to be the case. Apple’s stock price took quite a hit initially, dropping from $103 to $99 on September 3; it dropped another dollar by the close of that Thursday. What’s more, it was terrible timing for Apple, as it happened shortly before its September 9 iPhone 6 and Apple Watch announcement.

This might explain Tim Cook’s sudden willingness to speak with the Wall Street Journal to address concerns and reassure the public that the company is doing all it can to prevent leaks like this in the future. Late last week Apple’s stock price was on a slight uptick. Following the iPhone 6 announcement, it increased again and now sits at nearly $102.

Target

In late 2013, right around Thanksgiving, Target was hacked in a major way. A hacker installed malware on Target’s security and payments processing system that worked in a very straightforward way: Whenever someone swiped her card to make a purchase, the malware would wake up and capture the credit card number, putting people who did their Black Friday shopping at Target at risk.

Target first acknowledged the hack on December 19, and its stock price suffered in the months that followed. At the end of November, the retail chain was sitting at $64. By February 5, it had dropped all the way down to $55. It only recently started to gain ground back into $60+ territory.

Home Depot

Home Depot was hacked months ago, but we only just found out about it at the beginning of September. It now appears the hackers used the exact same malware as in the Target breach, because apparently these giant companies aren’t learning from other people’s mistakes. Reports now indicate the hack may have affected every single location in the U.S, which sort of makes me never want to shop anywhere again.

In any case, Home Depot saw a slight dip in its stock prices, which sat at $93 prior to the announcement of the breach and dropped to $89 by the following day.

News Corp

The News Corp hacking scandal made headlines for months. But in this case, unlike the others here, it was employees of News Corp. who were doing the hacking: Reporters used a variety of techniques to get into voicemails and other personal data. While it was initially thought that only celebrities and politicians were the targets of hacking conducted by News of the World employees, it turned out that victims of the 2005 London bombings and the relatives of deceased soldiers were also targeted. Many people took the company to court, too, and when all of the civil cases and the costs of the hacking itself are tallied up, News Corp was estimated to have lost $1.62 billion.

Even though the public was generally appalled with News Corp at the time, the company only saw a slight dip in its stock price in mid-2011, when it dropped from $17 to $14 but quickly recovered.

Google (Operation Aurora)

The last hacking scandal we’ll look at happened back in 2009, when Google was the target of an advanced attack that originated in China. Dubbed Operation Aurora, the hacking resulted in Google’s intellectual property being stolen. Google first reported the hack in January 2010.

Around the time the hack was revealed to the public, Google sat at $300, but it quickly dropped. By the end of February, it had dropped to $263, and by July it dipped all the way down to $218 — the stock’s lowest price in the past five years.

While not every company on this list saw a significant drop in stock price following a hacking scandal, all saw at least a minor downward trend. With the big dogs getting hurt by hacking, it’s even more imperative for companies to bolster security if they wish to avoid losses. Rebounding isn’t always possible — because not every company is a Google.

How hacking scandals have hit Apple, Google, and others where it hurts

Cyber soothsaying: Mobile malware will be a very real threat
http://venturebeat.com/2014/02/26/cyber-soothsaying-mobile-malware-will-be-a-very-real-threat/
Wed, 26 Feb 2014 13:30:05 +0000

GUEST: This is a guest post by David Cowan, cybersecurity investor at Bessemer Venture Partners.

This week, the RSA Conference draws its annual pilgrimage of data security professionals seeking insights on market and technology trends.

As a seed-stage security investor, I have made it my job to predict the future of cybersecurity, so now’s a good time to share two important rules that have served me well:

Follow the money: What’s the most lucrative opportunity emerging for hackers today? Identify the hacker’s next big opportunity, and you know who will need to respond. This rule, for example, steered me toward spam in 2002 (Postini), online banking theft in 2004 (Cyota), geopolitical warfare in 2009 (Endgame) and DDoS attacks in 2013 (Defense.Net).

Where there’s a way, there’s a will: Physicists know that if a natural phenomenon can exist, then most likely it does. The cyber corollary is that vulnerabilities in the wild will be exploited. It’s only a matter of time. Poisoning the DNS, using the cloud to factor large numbers, and streaming smartphone microphones were all considered theoretical attacks — until they weren’t. Whenever we dismiss vulnerabilities as too difficult to exploit, hackers eventually humble us with their ingenuity.

Just this week, we’ve seen two important examples of this rule in action. The first is Apple’s confirmation of a glaring deficiency in its SSL/TLS implementation (a bug that let a connection proceed without properly verifying the server’s signature during the handshake), which means we’ve been kidding ourselves about how secure the Mac and iPhone really are. The software engineers at Apple are mortal, and just as prone to the inevitable security lapses that plague any complex system.

The second example is a blog post by RSA about new malware on Android phones that coordinates with web-based attacks to hijack banking sessions. I have been expecting this “innovation” since 2005, when I predicted that banks, plagued by the security shortcomings of passwords and biometrics, would adopt and embrace out-of-band authentication for any risky transaction:

That’s why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction (“This is Wells Fargo — please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast”). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it’s secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).

This prediction turned out well: 2-channel authentication has since become standard procedure for banks, application developers and consumers, thanks largely to three investments I made back then:

If you’re a bank…

Cyota (acquired by RSA) is the market leader in assessing your transactions for risk so they can be escalated for authentication;

If you’re a developer…

Bessemer Venture Partners’ portfolio company Twilio is the market leader in enabling apps to launch phone calls or SMS messages for out-of-band authentication (this may be Twilio’s single largest use case); and

If you’re an individual…

Another portfolio company Lifelock is in the Identity Theft market. It contacts you through multiple channels when the company spots a risky transaction involving your personally identifiable information.

However, as I parenthetically noted in 2005, it’s theoretically possible to “commandeer affiliated phone lines” in order to defeat two-channel authentication. This seemed like a pretty farfetched idea eight years ago, but sure enough where there’s a way there’s a will, and bank accounts are where the money is! So I wasn’t too surprised to hear from RSA that hackers now intercept your SMS messages and phone calls in order to defeat the banks’ security mechanism.

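To make the 2005 idea above concrete, here is an added Python example of a transaction-bound out-of-band code. It is not Cowan’s code and not any bank’s; the per-customer key, the account and destination identifiers, the six-digit format and the wording of the call are all assumptions. What it demonstrates is the property that makes two-channel confirmation worth more than a plain one-time password: the code is an HMAC over the exact transfer, so a code issued for one transfer cannot authorize a different amount or destination if a man-in-the-browser swaps them after the code went out. What it does not defend against is an attacker who reads the code off a hijacked SMS or voice channel, which is precisely the interception the RSA report describes.

```python
import hashlib
import hmac
import secrets

# Assumption: the bank holds a per-customer secret. A fixed demo key keeps the example
# deterministic; a real deployment would generate and store it in an HSM or vault.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def transaction_bytes(account: str, amount_cents: int, dest: str, nonce: bytes) -> bytes:
    """Canonical encoding of the transfer the code must cover.

    Every field the customer is asked to confirm goes in here, so changing any of
    them after the code was issued invalidates the code."""
    return b"|".join([account.encode(), str(amount_cents).encode(), dest.encode(), nonce.hex().encode()])


def issue_code(key: bytes, account: str, amount_cents: int, dest: str, nonce: bytes) -> str:
    """Derive a six-digit confirmation code bound to one specific transfer."""
    digest = hmac.new(key, transaction_bytes(account, amount_cents, dest, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def out_of_band_message(amount_cents: int, dest: str, code: str) -> str:
    """What the bank's robocall or SMS reads to the customer (assumed wording)."""
    return (f"Please confirm the transfer of ${amount_cents / 100:,.2f} to {dest} "
            f"by entering code {code}.")


def verify_code(key: bytes, account: str, amount_cents: int, dest: str, nonce: bytes, submitted: str) -> bool:
    """Recompute the code for the transfer that is actually about to execute and compare
    in constant time. Any field that differs from what was read out yields a mismatch."""
    expected = issue_code(key, account, amount_cents, dest, nonce)
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Issue a code for one transfer, then try to reuse it for tampered ones."""
    nonce = secrets.token_bytes(16)  # fresh per challenge, so an old code cannot be replayed
    dest = "Boys and Girls Club of Belfast"
    code = issue_code(DEMO_KEY, "acct-1234", 5_000_000, dest, nonce)
    return {
        "message": out_of_band_message(5_000_000, dest, code),
        "legit": verify_code(DEMO_KEY, "acct-1234", 5_000_000, dest, nonce, code),
        # the browser-side malware swapped the destination after the code went out
        "tampered_dest": verify_code(DEMO_KEY, "acct-1234", 5_000_000, "mule-account-99", nonce, code),
        # or inflated the amount
        "tampered_amount": verify_code(DEMO_KEY, "acct-1234", 9_000_000, dest, nonce, code),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting: the server never trusts the amount or destination the browser session reports at confirmation time. It recomputes the code from the transaction it is about to execute, so the only way a tampered transfer passes is if the attacker also controls the channel the code travels on.
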
To quote cryptography expert Bruce Schneier: “Mobile is the new platform. Mobile is a very intimate platform. It’s where the attackers are going to go.”

This is why I funded Mojave Networks, which is building a cloud-based smartphone security service that filters out mobile malware during both download and execution, as well as providing URL filtering, data leak prevention, and enterprise cloud app visibility.

At the time I invested, many people warned me that mobile malware is simply not a big concern. But see Rules 1 and 2 above! Smartphones house our most precious secrets, and there are so many easy ways into them. I’m predicting that enterprises and governments will quickly understand this, and scramble to secure their employees’ phones just as they do their (larger) computers.

If you want to join me in predicting the future of cyberspace, look for the money chasing hackers, and pay more heed this week at RSA to the warnings of security gurus, since no vulnerability is too hard to exploit. Where there’s a way, there’s a will.

100 top computer science students flock to S.F. for hacker Olympics (exclusive)
http://venturebeat.com/2013/08/30/100-top-computer-science-students-flock-to-sf-for-hacker-olympics-exclusive/
Fri, 30 Aug 2013 18:05:02 +0000

ReadyForce and SignalFire cohost the second University Hacker Olympics (UHO) from Sept. 13-15 in what they claim is “the most epic university hackathon ever.”

Computer science students from 35 of the U.S.’s top engineering schools competed in a series of regional code challenges over the course of the year. The top students then filled out profiles detailing their technical accomplishments, and two to three students from each school were selected by a group of venture capitalists and chief technology officers.

“This is a very elite group of students,” said the event’s organizer Ahmed Siddiqui in an interview with VentureBeat. “You can’t buy your way in here; you have to be preselected. The aim is to identify the best talent and get them together with tech companies that want access to these students. They get exposed to real startups and awesome technology, and it could make a significant impact on their career.”

The ideas for the hackathon are chosen in advance by attending companies and are pitched to students on the first day of the competition. (The students decide which team they want to join.) They will hack alongside engineers for 24 hours. Ultimately, one team will win, but Siddiqui said the real value is the “synergy” that happens when young, optimistic students are put together with more experienced engineers.

Sixty-six of the students have interned at top technology companies, and the average student already has three job offers — even those who are years away from graduating. Recruiting developer talent is highly competitive and a significant challenge for many tech companies, and the top students are in high demand. Siddiqui said that while this is “not a subset of students hurting for jobs,” many of them are not exposed to companies that don’t have armies of recruiters and campus ambassadors. Startups aren’t able to send people out searching for talented engineers, and the University Hacker Olympics brings the talent to them.

SignalFire is a stealthy startup that is developing a network of “next generation founders and core engineers” through “exclusive experiential events.” ReadyForce is a platform that brings top engineering students together with fast-growing startups. It embarked on a cross-country bus trip on behalf of 150 technology companies to find talent last year and is about to begin a second one.

Apple’s developer website is still down this morning after being inaccessible for long periods last week and being completely shut down by Apple yesterday afternoon due to a successful hacking attack that penetrated Apple systems and may have leaked some developers’ names, addresses, and email addresses.

The company said that it was “completely overhauling our developer systems, updating our server software,” to prevent similar threats in the future. That includes an entire database rebuild, the company said.

There is currently no timeline on the restoration of Apple developer services — unless you count “soon.”

Above: Even the Apple developer forums are down right now

Image Credit: John Koetsier

One small piece of good news, I suppose, is that if your developer ID was set to expire during this period of downtime, Apple will be extending your developer account membership — and, yes, your app will remain live on the site.

If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store. If you have any other concerns about your account, please contact us.

Apple has easily a million developers, many of them independents, and more than 300 million iCloud/iTunes accounts. Many of those accounts overlap, as Apple requires that indie developers use their Apple ID for access to the developer sections and app store upload areas of its sites. That’s the same Apple ID that developers would use for their individual app store purchases, iCloud backups, and Apple device syncing.

So it pays for Apple to be safe.

I’ve asked Apple for further comment on the breach and its subsequent steps and will update this post with any substantially new information.

Updated with new information on what Google is doing to combat the threat – July 5

Mobile security company Bluebox said today that it recently discovered a vulnerability in Android that makes any Android device released in the last four years vulnerable to hackers who can read your data, get your passwords, and control any function of your phone, including sending texts, making phone calls, or turning on the camera.

“A Trojan application … has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords,” Bluebox CTO Jeff Forristal posted. “It can essentially take over the normal functioning of the phone and control any function.”

Above: Bluebox modified an Android device manufacturer’s application to obtain access to all permissions on the device.

Image Credit: BlueBox

The vulnerability is due to “discrepancies” in how Android apps are approved and verified, Bluebox says, allowing hackers to tamper with application code without changing the app’s cryptographic signature. That means an app — any app — that looks perfectly safe and legitimate to an app store, a device, an engineer, or a user could actually have malicious code embedded within it.

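The article does not spell out what the “discrepancies” are, but the class of flaw it describes is a parser differential: the component that checks the package signature and the component that later reads the code disagree about which bytes the archive contains, so the signature no longer covers what runs. The mechanism Bluebox later presented for this bug was of exactly that kind: an APK (a ZIP file) could carry two entries with the same file name, and the verifier and the loader picked different ones. The Python example below is an added illustration, not Bluebox’s or Google’s code. It builds a ZIP with two entries named classes.dex (the contents are constructed), walks the central directory by hand so that both records are visible, shows a first-entry-wins reader and a last-entry-wins reader returning different bytes for the same name, and implements the installer-side check that ends the ambiguity: refuse any archive whose central directory repeats a name.

```python
import io
import struct
import warnings
import zipfile

CD_HEADER = "<4s6H3I5H2I"   # central-directory file header: 46 bytes, 17 fields
EOCD = "<4s4H2IH"           # end-of-central-directory record

SIGNED = b"DEX bytes the vendor actually signed"
INJECTED = b"DEX bytes an attacker added"


def build_archive(entries):
    """Write a ZIP (the same container format as an APK) with entries in the given order.
    zipfile warns about a duplicate name but still writes both records, which is the trick."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def walk_central_directory(blob):
    """Yield (name, data) for every central-directory record in on-disk order,
    without collapsing duplicate names the way most high-level APIs do."""
    eocd_pos = blob.rfind(b"PK\x05\x06")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD, blob, eocd_pos)
    pos = cd_offset
    for _ in range(total):
        rec = struct.unpack_from(CD_HEADER, blob, pos)
        assert rec[0] == b"PK\x01\x02", "bad central directory record"
        csize, name_len, extra_len, comment_len, local_off = rec[8], rec[10], rec[11], rec[12], rec[16]
        name = blob[pos + 46:pos + 46 + name_len].decode()
        # File data follows the 30-byte local header plus that header's own name/extra fields.
        l_name_len, l_extra_len = struct.unpack_from("<2H", blob, local_off + 26)
        start = local_off + 30 + l_name_len + l_extra_len
        yield name, blob[start:start + csize]
        pos += 46 + name_len + extra_len + comment_len


def first_entry_wins(blob):
    """Reader A: keeps the first record seen for a name."""
    seen = {}
    for name, data in walk_central_directory(blob):
        seen.setdefault(name, data)
    return seen


def last_entry_wins(blob):
    """Reader B: keeps the last record seen for a name. Python's own zipfile behaves this
    way: its name-to-info map is overwritten as the central directory is read."""
    return dict(walk_central_directory(blob))


def stdlib_reads(blob, name):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def has_duplicate_names(blob):
    """The installer-side check: a repeated name makes the archive ambiguous, so reject it
    rather than hope every consumer happens to pick the same record."""
    names = [name for name, _ in walk_central_directory(blob)]
    return len(names) != len(set(names))


def demo():
    blob = build_archive([("AndroidManifest.xml", b"<manifest/>"),
                          ("classes.dex", INJECTED),
                          ("classes.dex", SIGNED)])
    return {
        "first": first_entry_wins(blob)["classes.dex"],
        "last": last_entry_wins(blob)["classes.dex"],
        "stdlib": stdlib_reads(blob, "classes.dex"),
        "duplicate": has_duplicate_names(blob),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

If a signature check consumes the archive through reader B while the loader uses reader A, the verifier approves SIGNED and the device executes INJECTED, with the original signature intact. The fix is not to make every reader agree by accident but to refuse archives that present the same name twice, which is what a package installer should do before any signature is even examined.
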
Forristal said the details of the bug were disclosed to Google back in February and that Google has “notified their device partners.”

The problem, however, is that because of Android’s fragmented nature and the fact that device manufacturers and mobile carriers release Android updates sporadically if at all, many Android devices are not running the latest software and cannot be easily user-updated.

Forristal puts it diplomatically:

“The availability of these updates will widely vary depending upon the manufacturer and model in question.”

If an attacker successfully gains control of an Android device — and Bluebox will be revealing technical details of the vulnerability at hacker conference Black Hat USA 2013 in late July — the hacker essentially gains control of all permissions on the phone or tablet.

That’s a disaster for users, because many Android users, particularly those in Asian and Eastern countries, rely on the 500-plus independent Android app stores, which have little or no authentication or verification to ensure that the apps passing through them are legitimate. That is a perfect opening for unscrupulous, technically inclined thieves and spies to gain control of your phone.

I asked Google for comment and received this terse response from a Google representative:

We aren’t commenting.

I’m not sure exactly how to interpret that, but I suspect that Google wants this to get as little press as possible while the company scrambles to get as many Android devices updated as possible before the end of July. A source who cannot be identified, however, did say that Google fixed the vulnerability in February and sent the patch to its partners at the beginning of March.

That’s a challenge, because many carriers have installed franken-versions of Android on devices sold two or three years ago with custom user interfaces and crapware pre-installed apps, and may not be able to turn out new, updated versions of their customized Android version quickly … or have a way to distribute them economically.

Users who are unsure of their phone’s update status or who are unable to update should be extremely cautious when installing apps, Bluebox says, and be sure to identify the publisher of the app before installing it. In addition, it’s a good idea to only install apps from Google Play, where Google has the ability to verify and validate apps.

VentureBeat has discovered that Google has added checks in Google Play which will guard against this type of attack, which means Google Play should be safe. An open question, however, is whether Google is offering the technology that can check for compromised apps to other, unauthorized Android app stores.

That’s important, because in some countries such as Korea, sources tell me that Google Play is not in wide use.

That’s why getting the latest Android updates from a trusted source is critical.

“People should look to upgrade their Android devices and inquire with their device manufacturer to see if they are tackling this issue,” Forristal told me via email. “Enterprises need to invest in comprehensive mobile security solutions that protect the integrity of their data against these kind of vulnerabilities.”

Above: You can use Google Play to verify app security

Image Credit: Google

I have learned that OEMs — phone manufacturers — and carrier partners were given the patch in March, basically as soon as Google had it for Google Play. But third-party Android app stores and their users are likely still at risk … as would be any user who installs Android apps they download privately or access from an email.

One thing you can do to ensure you are safe, regardless of which app store you frequent, is to use Google Play as an application verification tool regardless of where you’ve downloaded your apps. To do that, simply go to the apps menu and tap Google Settings > Verify apps, or, in Android 4.2 and higher, go to Settings > Security > Verify apps.

Android users should never download apps from a third-party app store, apparently. But you should also take Chicken Little reports with a grain of salt.

A staggering 267,259 mobile apps are triggering SMS trojans, exploiting security holes, stealing private data, and building botnets, according to a study released today by network security firm Juniper. Ninety-two percent of them are Android-based, and most of those are due to over 500 Android app stores globally that are known to be hosting mobile malware.

“We anticipate that similar to the evolution of PC-based threats, mobile attacks will continue to increase and become more sophisticated in the coming years,” Juniper mobile threat center director Troy Vennon said in a statement.

Juniper’s Mobile Threats Report analyzed 1.85 million mobile apps, up a third from February 2012, to find malware and vulnerabilities. According to the report overall mobile malware is skyrocketing — up 614 percent in a single year across all platforms — but Juniper says that Android is where the real challenges lie.

Why?

Android is the target of choice for thousands of malware authors simply due to the hundreds of non-Google app stores that offer almost no oversight and therefore enable easy distribution, and due to the continuing fragmentation of the Android ecosystem, which leaves users of earlier, less-secure versions of Android vulnerable. A third contributing factor is that more apps are asking for more private data.

There are big dollars to be made in getting your shady app installed.

Juniper says that 73 percent of all known mobile malware is FakeInstallers or SMS Trojans. These apps look like legitimate apps from known sources, but they’ve actually been cracked and infected. When installed, they send text messages to premium-rate numbers, netting their authors about $10 per infection on average.

But perhaps the biggest reason Android is being targeted is its sheer success.

While Google Play is probably one of the safest places to get Android apps, other well-known and credible app stores such as Amazon’s are likely safe as well. The problem is the 500-plus unknown stores that are allowing malware to thrive.

Most of those, Juniper said, are based in either Russia or China.

It’s worth taking results like these with at least one grain of salt. Juniper sells mobile security solutions, so the company stands to benefit if the mobile security situation appears grim. That doesn’t mean the company is falsifying data, just that it’s not always clear how each study defines malware.

For instance, Juniper is counting apps that are sketchy on privacy — such as those that track your location — but that are not necessarily malware.

It’s not immediately clear how many of the 276,259 total malicious apps that Juniper found fall into this bucket.

254,158 Android apps are ‘malicious’ as mobile malware skyrockets 614%, Juniper says

This tiny Raspberry Pi Trojan horse could be a cute little backdoor into your corporate network
http://venturebeat.com/2013/06/17/this-tiny-raspberry-pi-trojan-horse-could-be-a-cute-little-backdoor-into-your-corporate-network/
Mon, 17 Jun 2013 21:25:10 +0000

You gotta love security geeks — they can make it so easy for you. At least, if you’re a black-hat hacker.

Network security engineer “Richee” posted complete details about how to make a tiny Raspberry Pi computer look like an ordinary laptop power brick — and then give himself a physical backdoor into corporate networks.

Technically, the job is laughably easy.

The Pi is a tiny computer that fits in the palm of your hand. But it’s got a 700 MHz processor, half a gigabyte of RAM, and runs a custom version of Linux. It also has HDMI and USB ports and — critically — Ethernet. Kids, geeks, white-hat hackers, and case-modders buy the cheap $25-$35 computer and build beautiful cases for it, install apps from the Pi Store, and craft robotic bartenders with it.

With a little soldering and gluing, Richee fit the tiny Pi into an old power brick, hooked up a black Ethernet cord, and jimmied up a power supply out of a plug and a USB converter. Voila: an inconspicuous ET-phone-home hacker’s best friend.

Of course, the software is the critical part.

With a few lines of code, Richee built a little script that will phone home to his designated server over SSH (secure shell). Once the Pi phones home, he’s got an insider’s access to the network it’s on.

Of course, Richee doesn’t have nefarious intent — it’s simply a tool for remote support. In the wrong hands, however, it could go unnoticed for weeks, if companies have lax security oversight, and offer very tempting access to ostensibly-secure data.

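Richee’s gadget only works for as long as nobody notices a new device on the LAN, which is the check an engineer on the defending side would want to run. The Python script below is an added example, not from the post and not Richee’s code. It parses ISC dhcpd lease acknowledgements from syslog (the sample lines are constructed; only the message format is real), compares each MAC against an assumed asset inventory, and flags addresses from the Raspberry Pi OUIs as well as the stock “raspberrypi” hostname that a default Raspbian image announces.

```python
import re
from dataclasses import dataclass

# Registered Raspberry Pi OUIs (first three octets of the MAC address). A MAC can be
# spoofed and the hostname changed, so a hit is a lead to go look behind the plant,
# not proof on its own.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# ISC dhcpd syslog message: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>";
# the hostname is only present when the client sent one.
ACK_LINE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
Jun 17 09:02:11 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 3c:22:fb:10:aa:01 (alice-laptop) via eth1
Jun 17 09:02:40 dhcp1 dhcpd: DHCPREQUEST for 10.0.5.22 from 3c:22:fb:10:aa:02 via eth1
Jun 17 09:03:05 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to B8:27:EB:4A:9C:11 (raspberrypi) via eth1
Jun 17 09:04:19 dhcp1 dhcpd: DHCPACK on 10.0.5.78 to 00:1b:21:ab:cd:ef via eth1
"""

# Assumed asset inventory: the MACs IT actually issued (a laptop, a phone, a printer).
INVENTORY = {"3c:22:fb:10:aa:01", "3c:22:fb:10:aa:02", "00:1b:21:ab:cd:ef"}


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    iface: str


def parse_acks(lines):
    """Pull every completed lease (DHCPACK) out of syslog lines; other DHCP traffic is ignored."""
    leases = []
    for line in lines:
        m = ACK_LINE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def audit(leases, inventory):
    """Return [(lease, reasons)] for leases that deserve a look. Three independent signals:
    not in the inventory, a Raspberry Pi OUI, and the default 'raspberrypi' hostname."""
    findings = []
    for lease in leases:
        reasons = []
        if lease.mac not in inventory:
            reasons.append("MAC not in asset inventory")
        if lease.mac[:8] in RASPBERRY_PI_OUIS:
            reasons.append("Raspberry Pi OUI")
        if "raspberrypi" in lease.host.lower():
            reasons.append("default Raspberry Pi hostname")
        if reasons:
            findings.append((lease, reasons))
    return findings


def demo():
    return audit(parse_acks(SAMPLE_LOG.splitlines()), INVENTORY)


if __name__ == "__main__":
    for lease, reasons in demo():
        print(f"{lease.ip} {lease.mac} ({lease.host or '-'}): {', '.join(reasons)}")
```

This catches the lazy build. A careful attacker will clone a printer’s MAC and hostname, so the inventory comparison is the signal that matters most, and it is only as good as the inventory. Pair it with 802.1X or port security on the jacks in meeting rooms, and with alerting on outbound SSH from hosts that have no business making it, since that is the direction the Pi has to talk in.
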
There is one problem, of course: Laptop power bricks don’t normally have Ethernet cords hanging from them. Richee has a solution for that:

It looks weird when you stare at it, but put it behind a plant and nobody will ever notice it (except the guy who waters the plants).

And the guy who waters the plants is unlikely to know too much about network security.

This is how you know you’re not at an Apple conference. At Google I/O today, Google’s holding a session on voiding your Google Glass warranty.

Voiding your warranty, apparently, is as simple as running five short commands. To run them, however, you need a richer way of talking to your Google Glass device than the touchpad on the side of the frame.

“Fortunately, this is an Android device, and like most Android devices, it has a Bluetooth chip,” Google engineer P.Y. Laligand said today at the chat on hacking Glass.

Above: Glass is just Android, underneath.

Image Credit: Google

So he simply turned on Bluetooth, paired an external keyboard, opened up a terminal window, and typed five commands in ADB, or Android Debug Bridge:

$ adb root: (Finally, you have root access and access to all the data partitions)

These are not steps to be taken lightly, according to Google engineer Hyunyoung Song.

“Even though there are recovery methods, there is a chance that you could get stuck in a state from which it’s not easy for your device to be recovered,” she said. “And Google will not support you.”

Google Glass owners who have taken the lives of their $1,500 Google Glass Explorer Edition devices in their hands and bravely gone where few dare, however, have done some exceptionally cool things. One has installed standard Ubuntu Linux on Glass and now programs on Glass using Emacs, a text editor. Another has created an avatar that mimics your head motion, bobbing around just as you do while talking and gesturing.

Above: Danger, Will Robinson! Voiding warranty now!

Image Credit: Google

And Google — while not supporting you if you brick your device — encourages developers to play around in root mode, hacking new apps and experiences which can be then brought into the Google Glass ecosystem.

“Now you’re in root mode,” Song said. “Play around and go nuts with whatever you want to do.”

For the faint of heart, there will be a safety net at some point. Google will be releasing the standard Glass system images, which can be used to recover bricked devices.

How to hack Google Glass, void your warranty, and brick your new $1,500 augmented-reality specs

‘Biggest ever’ Internet attack is indeed huge, but it isn’t global
http://venturebeat.com/2013/03/27/biggest-ever-internet-attack-is-indeed-huge-but-not-global/
Wed, 27 Mar 2013 17:11:17 +0000

Have you noticed that the global Internet is slowing down as it experiences its “biggest-ever” attack by hackers flooding the web via distributed denial of service (DDoS) attacks?

Me neither.

That hasn’t stopped the BBC from claiming “Global Internet slows after biggest attack in history,” or the UK’s Independent from saying that “Internet services across the world have been disrupted” with “millions of web users” not able to access service like Netflix.

According to the Internet Traffic Report, everything’s fairly copacetic. Response time has been pretty steady for the past 30 days, with no discernible dip in the past week, and packet loss globally has remained steady at almost zero:

A quick check of InternetPulse shows that the U.S. Internet is healthy, with sub-90-millisecond latency in response times across the board today:

It’s not until we check Akamai’s global real-time web monitor that we see what the problem is: congestion is up in two general areas. Those would be the UK — where the BBC lives — and Germany/Netherlands, where a local fight is on between a controversial hosting provider, Cyberbunker, and a spam-fighting filter service, Spamhaus.

Essentially, it appears that Spamhaus blacklisted Cyberbunker for allegedly distributing spam, and friends of Cyberbunker then attacked Spamhaus’ servers with up to 300 gigabits per second of traffic. That’s an enormous amount of data, and it constitutes the biggest DDoS attack publicly reported to date. It’s clogging the interweb’s tubes in at least a few places but not, apparently, all over the world.

Little hint to the BBC and others: Western Europe is not the world.

Research team claims EA’s Origin has security flaw that exposes millions of users
http://venturebeat.com/2013/03/19/research-team-claims-eas-origin-has-security-flaw-that-exposes-millions-of-users/
Tue, 19 Mar 2013 17:37:57 +0000

Millions of people use EA’s Origin service to play SimCity, Battlefield 3, and more. Security firm ReVuln claims they are vulnerable to attack from hackers.

It’s time to add another issue to the list of what’s ailing publisher Electronic Arts. The company’s chief executive officer announced yesterday that he is stepping down, and it is still reeling from a public-relations snafu with the recently launched city-builder SimCity. Now, a security research firm revealed that members of EA’s digital-download service are vulnerable to attack from hackers.

A fatal flaw in EA’s Origin service may enable hackers to remotely execute software on a target’s Mac or PC, according to Malta-based security researchers ReVuln (via Time’s Techland blog). ReVuln published a paper earlier this month that explains the vulnerability in detail.

“Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure,” Origin spokesperson John Reseburg told GamesBeat.

The hack only takes seconds. It works by exploiting an “Origin://link” uniform resource identifier (URI), which publishers utilize to enable browsers to open and control actions on the Origin platform. Origin’s links follow a particular pattern. Hackers can mess around with that pattern to make the URI execute different commands. One of those commands could be bringing up a box that asks a user to download an application. They might trust that application because they’re on their trusted Origin site and click yes. The malware will then install, and the hacker will effectively “own” the system.

“Using games as an attack vector is pretty difficult to spot,” ReVuln security researcher Donato Ferrante told GamesBeat. “One of the reasons is that most people underestimate games as a possible way for attackers to compromise their systems.”

ReVuln released a proof of concept of the hack, which you can see in the video embedded into ReVuln’s Tweet:

The security firm suggests that users set their browsers to pop up with a prompt when attempting to open a game in Origin or in Steam. More security-conscious users can install a tool like URIprotocolview to disable the “Origin://” URI.

VentureBeat security reporter Meghan Kelly contributed to this report

Andrew Auernheimer: 41 months of jail and a $73,000 fine for querying AT&T servers
http://venturebeat.com/2013/03/18/andrew-auernheimer-41-months-of-jail-and-a-73000-fine-for-querying-att-servers/
Mon, 18 Mar 2013 17:06:35 +0000

Controversial hacker, troller, and Internet prankster Andrew Auernheimer has been sentenced to 41 months in jail and ordered to pay a $73,000 fine to AT&T for connecting to an unsecured database and collecting a list of the company’s iPad subscribers.

BREAKING: Weev sentenced to 41 months followed by three years of supervised release.

Just moments before sentencing, Auernheimer (also known as Weev), was cuffed by court officers in a struggle over his tablet and phone. Auernheimer, who was not permitted to use computers with keyboards, was asked to surrender his devices, but tried to hand them to his lawyer.

“It looks like Andrew got slammed into a desk by federal agents while trying to hand his phone to his lawyer after the court asked for his phone,” his publicist told me via email.

Auernheimer is, by all accounts, a controversial figure, which became abundantly clear in a Reddit AMA (ask me anything) conducted yesterday.

He’s a founder of GNAA (Gay N*iggers Association of America), a group that probably has no actual gay or black members and seems, much as many other online trolling groups, to be devoted to causing as much online damage and destruction as possible. He’s also a member of Goatse Security, a grey-hat organization that focuses on finding and exploiting computer and website vulnerabilities. And he has done things online that most of us would consider morally reprehensible and ugly, if not precisely illegal, such as taking a leading role in the massive online harassment that caused usability expert Kathy Sierra to abandon the Internet.

The charges were based on the same law that federal prosecutors used against Matthew Keys, Aaron Swartz, and Stephen Watt: the Computer Fraud and Abuse Act, which opponents have decried as vague and which Swartz’s lawyers have said was misused by federal prosecutors to overly aggressively pursue Swartz, who ended up committing suicide.

Terrorist, hacker, freedom fighter: Andrew Auernheimer parties tonight in expectation of jail tomorrow
http://venturebeat.com/2013/03/17/terrorist-hacker-freedom-fighter-andrew-auernheimer-parties-tonight-in-expectation-of-jail-tomorrow/
Sun, 17 Mar 2013 20:29:18 +0000

In June of 2010, Andrew Auernheimer created a small computer program that connected to a publicly accessible, unsecured AT&T database of iPad subscribers. In November of 2012, he was found guilty of violating the Computer Fraud and Abuse Act (CFAA) and identity theft.

Tomorrow, he’s likely going to jail.

“It’s a fucking ludicrous charge,” Auernheimer told me this morning from New Jersey. “The FBI has tried to frame me for terrorism five times, and by their own admission they’ve been surveilling me since I was 15 years old.”

But tomorrow he expects to go to jail. In preparation, he and supporters have rented a 10,000 square foot hall where they’ll party the night away in perhaps his last taste of freedom for 10 years.

If he does go to jail, it’ll be the latest chapter in a long list of federal prosecutions of computer “crimes” by hackers who are forcing mainstream society to reconsider what freedom of speech means online, what is an appropriate response to a corporation’s poor security, and what kinds of access constitute crimes. That list includes Aaron Swartz, who committed suicide after what many have said was DOJ misconduct.

The story starts with a boneheaded AT&T decision.

During the summer of 2010, Auernheimer and co-defendant Daniel Spitler discovered that by querying AT&T’s iPad servers with a string of numbers that matched subscribers’ SIM card identifiers, AT&T’s servers would send back the unencrypted, unprotected email address of the AT&T customer, the iPad owner. AT&T had a massive security design flaw, which, as it admitted in Auernheimer’s one-week trial, was intentional: for subscriber convenience. After running the script to capture 114,000 email addresses of AT&T iPad subscribers, Auernheimer sent a list of the email addresses to Gawker to highlight the security hole. Gawker then printed them in redacted form.

“If you buy an Apple product, you have a right to know that Apple partners could compromise your privacy,” Auernheimer told me, explaining why he sent the email addresses. “And that they take six months to patch security issues.”

So there’s obviously a security issue. And there’s obviously a privacy issue. But where’s the crime?

“We sent GET requests to a public API,” Auernheimer says. “They charged me with unauthorized access to a computerized device … and identity theft, which is a possession charge … if you walk down a street and write down physical addresses, you’re stealing identifiers, and you’re an identity thief.”

You could be charged with unauthorized access to a computerized device, for instance, simply because you clicked on the link that brought you to this article. Oh, and Google, one of the most successful corporations in the world, is the root of all evil. A GET request is simply a note from a browser, or any other piece of code, asking a server for a resource. You issue thousands of them every day all by yourself. Google issues billions.

Whether the receiving server responds to that request in any way, shape, or form is entirely at the discretion of the developers and system administrators who control that server.

The CFAA does not define the phrase “unauthorized access,” so according to Auernheimer, the government essentially told the jury that his access to the server was unauthorized because they said it was. Which, if true, means that whether you commit a legal act or an illegal act is at the discretion of anyone who runs a webserver, who can change their mind at any time without you knowing.

Good luck following the straight and narrow.

After a one-week trial, a jury found Auernheimer guilty on November 20 after just a few hours of debate. Auernheimer told me that his friend overheard “vicious arguing and screaming” in the jury room, so there was some serious debate, but there was a potential reason to be fast, and maybe even hasty.

“The trial was right before Thanksgiving … I think people wanted to get the hell out of there and get to Thanksgiving,” Auernheimer said.

Tonight he’s awaiting sentencing, which could be up to 10 years in jail and up to $500,000 in fines. And he’s not too hopeful that the judge will go easy on him.

“I’m probably going to prison, and they may take me into custody immediately,” Auernheimer told me. “But I have an excellent chance on appeal … any sane examination of the CFAA at this point is going to realize that it criminalizes all web access.”

Profile of a cyber criminal (infographic)
http://venturebeat.com/2013/02/22/profile-of-a-cyber-criminal-infographic/
Fri, 22 Feb 2013 16:28:46 +0000

Yesterday, Zendesk was hacked and the personal information of an unknown number of Twitter, Pinterest, and Tumblr users was stolen. Last year, 12.6 million U.S. adults were the victims of identity fraud.

Who’s committing these crimes?

Most of them are between 29 and 49 years old, and three-quarters are male. They work in organized groups, half of which have six or more members. And they live all over the world, but especially in Asia, notably China and Indonesia.

That’s according to online payments company Jumio — one of the companies that Facebook founder Eduardo Saverin has invested in. Jumio has put together an infographic highlighting who is attacking companies and people.

To do what they do, cyber criminals need access to the interwebs. That means Internet service providers and website hosting providers are critical, and most of the ones criminals work through are based in Russia and China.

This won’t make victims of identity theft, hacking, or online fraud feel any better, but only 0.0019 percent of cybercrimes in the U.S. in 2010 were tried in court and saw the hackers convicted.

Here’s all the data, in visual form:

Image credits: Jumio

Zendesk hacked: Twitter, Pinterest, and Tumblr users were affected
http://venturebeat.com/2013/02/22/zendesk-hacked-twitter-pinterest-and-tumblr-users-were-affected/
Fri, 22 Feb 2013 08:25:52 +0000

A security breach at cloud-based customer support vendor Zendesk has exposed personal information including email addresses of Twitter, Pinterest, and Tumblr users, the company said today in a blog post.

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

Zendesk manages back-office features like customer support and help desk operations via a cloud service it delivers to hundreds of clients serving over 65 million people, the company says on its website. Only Twitter, Pinterest, and Tumblr clients were affected, the company says, but those sites comprise literally hundreds of millions of users.

Since most end users never touch Zendesk directly, most users’ first awareness that there might be a problem with their personal information will come via an email from one of the affected services. I received an email from Tumblr this evening at 11:05PM PST, saying that my information may have been exposed.

Assuming Zendesk knows exactly how deep the penetration went, there is probably not a lot to worry about. The attackers gained access to email addresses and the subject lines of support emails, but there’s no indication they accessed any passwords or other data.

In other words: don’t panic.

Here’s the email that Tumblr sent out to affected users:

Important information regarding your security and privacy

For the last 2.5 years, we’ve used a popular service called Zendesk to store, organize, and answer emails to Tumblr Support. We’ve learned that a security breach at Zendesk has affected Tumblr and two other companies. We are sending this notification to all email addresses that we believe may have been affected by this breach.

This has potentially exposed records of subject lines and, in some cases, email addresses of messages sent to Tumblr Support. While much of this information is innocuous, please take some time today to consider the following:

The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.

Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.

Your safety is our highest priority. We’re working with law enforcement and Zendesk to better understand this attack. Please monitor your email and Tumblr accounts for suspicious behavior, and notify us immediately if you have any concerns.

Amazon is back up and running after extended outage
http://venturebeat.com/2013/01/31/amazon-is-back-up-and-running-after-extended-outage/
Thu, 31 Jan 2013 20:44:20 +0000

Amazon’s homepage went down for about 51 minutes this afternoon in a highly unusual outage. Visitors to the site received an ‘Http/1.1 Service Unavailable’ message, although Amazon Web Services was still up and running. This is the most significant outage Amazon has experienced in years. A group of hackers called the NaziGods is claiming responsibility on Twitter; however, sources with knowledge of the event deny that it was related to any outside group.

Estimates put Amazon’s sales-per-minute at over $100,000.

We have reached out to the company for comment and are waiting for a response. In the meantime, you may continue buying panini-makers and Kindles in peace.

RubyGems.org hacked, interrupting Heroku services and putting sites using Rails at risk
http://venturebeat.com/2013/01/30/rubygems-org-hacked-interrupting-heroku-services-and-putting-millions-of-sites-using-rails-at-risk/
Thu, 31 Jan 2013 04:49:31 +0000

Ruby package distributor RubyGems.org was hacked today, disrupting web developers globally and causing service shutdowns at popular hosting service Heroku.

“There was a vulnerability with RubyGems.org, which allowed someone to execute code on the server,” a Ruby programmer I talked to said. “RubyGems is a big target, because if you could break in and change a Rails gem, you could gain access to a lot of servers.”

Popular sites such as Twitter, Groupon, Airbnb, and Hulu are built using Ruby on Rails, a framework built in the Ruby programming language. Ruby gems are packages of code that allow developers to distribute programs or libraries, and RubyGems.org is the central means the Ruby community has to publish and distribute those gems. Essentially, if a black hat hacker can corrupt those gems, he or she could potentially gain control of thousands, if not millions of sites around the world that run Ruby on Rails.

Above: The exploit itself

Image Credit: https://gist.github.com/3e4829f79dbd1be11295

“RubyGems is a critical part of the Ruby infrastructure,” the programmer said. “Everything depends on RubyGems.”

RubyGems explained the situation this way in a Google doc that site administrators set up for status updates:

A user uploaded a malicious gem that contained a malicious gem manifest (YAML file). The manifest contained embedded Ruby with this payload. This is the only known incident involving this vulnerability, but the vulnerability involved is a remote code execution exploit, so the usual rules apply.

The Ruby programmer I talked to, who did not want to be identified since he works with some of the key engineers at RubyGems and Heroku, said that the infected gem was executed by the server and then “emailed the database configuration details, including passwords, to a paste-it note on Pastie.org.”

Ruby deploys have been temporarily disabled to protect our users from malicious gems. We will have more information available shortly, including a workaround for those who wish to deploy anyway.

Based on the information currently available, it doesn’t appear to have been an especially malicious attack, but rather a fairly strenuous way of informing the RubyGems organization that they had a vulnerability. The infected gem was called “exploit,” a pretty clear signal that the author or authors were not trying to slip something in unnoticed, and “they could have done more,” my source said.

Currently, RubyGems is verifying all files by comparing them for differences with older versions before re-enabling all access to functionality. The last update as of 7:30 PM PST is that the service’s classic API is up, as well as its V1 API, but its web application and Dependency API are still down.
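The status update above describes a manifest whose YAML carried embedded Ruby that the server deserialized and ran. As an added example, not code from RubyGems.org or Heroku, the following loads a manifest with Psych's restricted loader so that Ruby object tags (an inert `Object` tag stands in for a real payload) and YAML aliases are rejected before any object is built; the manifest layout, its allowed keys and both sample documents are constructed for this illustration.

```ruby
require 'yaml'

# Constructed sample: a benign manifest fragment with plain scalars and a list.
# (Not the real RubyGems gemspec format; a stand-in for this example.)
BENIGN_MANIFEST = <<~YAML
  name: example-gem
  version: "1.0.0"
  summary: A harmless gem
  authors:
    - Example Author
YAML

# Constructed sample: the same shape, but one value carries a Ruby object tag.
# A permissive YAML loader would try to build that object from attacker-controlled
# data; Object is used here only as an inert stand-in for the mechanism.
TAGGED_MANIFEST = <<~YAML
  name: example-gem
  metadata: !ruby/object:Object {}
YAML

# Keys a manifest is allowed to carry (constructed for this example).
ALLOWED_KEYS = %w[name version summary authors].freeze

# Parse a manifest with Psych's restricted loader: no classes beyond the YAML
# core types (Hash, Array, String, Integer, Float, true/false/nil) and no aliases
# (which otherwise permit "billion laughs"-style expansion). On rejection return
# a small hash describing why instead of raising, so callers can log and move on.
def load_manifest(yaml_text)
  doc = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  return { 'rejected' => 'NotAMapping' } unless doc.is_a?(Hash)

  unexpected = doc.keys - ALLOWED_KEYS
  return { 'rejected' => 'UnexpectedKeys', 'keys' => unexpected } unless unexpected.empty?

  doc
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  # DisallowedClass is what a !ruby/object tag triggers under safe_load;
  # the object is never instantiated, so no embedded code gets a chance to run.
  { 'rejected' => e.class.name }
end

# Convenience predicate for a quarantine step: true when the manifest must not be used.
def manifest_rejected?(yaml_text)
  load_manifest(yaml_text).key?('rejected')
end

if __FILE__ == $PROGRAM_NAME
  p load_manifest(BENIGN_MANIFEST)
  p load_manifest(TAGGED_MANIFEST)
end
```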

Find a computer bug, get threatened with jail, get expelled from college
http://venturebeat.com/2013/01/21/find-a-computer-bug-get-threatened-with-jail-get-expelled-from-college/
Mon, 21 Jan 2013 19:50:31 +0000

One Canadian computer science student has discovered the three simple steps to ruining your life:

Find a bug that could reveal the personal information of 250,000 students

Report it to the proper authorities at his school, Dawson College in Montreal, Canada

But two days later, when Al-Khabaz decided to double-check whether a fix was in place, he was surprised by a phone call from Edouard Taza, the president of Skytech, the company that makes Omnivox. Al-Khabaz says that Taza accused him of implementing a “cyber-attack,” threatened him with jail, and forced him to sign a nondisclosure agreement.

But despite his cooperation with what some might say was an unreasonable and bullying approach, Al-Khabaz was expelled from college.

Calls to Donna Varrica and Carey-Ann Pawsey at Dawson’s communications office go straight to voicemail, but the college has posted a statement on its website, standing by its decision and saying that Al-Khabaz had been warned on at least one occasion to “cease and desist.”

Dawson College stands by its policies regarding academic integrity and professional code of conduct. The provisions of these policies are clearly stated in the Institutional Student Evaluation Policy and the Code of Conduct on the website (listed below).

Under the terms of Quebec privacy laws, it is illegal to discuss the details of student files with individuals or with the media. Dawson College practices due process and due diligence in every case brought before the review committee. If a student does not agree with a decision, he or she has the right to appeal, as spelled out in the policies.

In the recent case of Ahmed Al-Khabaz, which he himself brought to the media, the College stands by its decision. The reasons cited in the National Post article for which the student was expelled are inaccurate. The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student.

When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student.

I have not been able to speak to Al-Khabaz yet, but based on the publicly available facts, Dawson College and Skytech — sounds suspiciously like Skynet, no? — should be thanking him and perhaps rewarding him.

VentureBeat has reached out to Edouard Taza, Skytech’s president, and will update if he responds.

Convicted hacker Stephen Watt on Aaron Swartz: ‘It’s just not justice’
http://venturebeat.com/2013/01/17/convicted-hacker-steven-watt-on-aaron-swarzt-its-just-not-justice/
Thu, 17 Jan 2013 21:44:47 +0000

If convicted of the crimes for which U.S. Attorney Stephen Heymann was prosecuting him, Reddit co-founder Aaron Swartz could have gone to jail for 30-35 years. But it was probably the waiting, uncertainty, and personal attacks that did more damage, according to hacker and convicted felon Stephen Watt.

“Prosecutors do not acknowledge nuance,” Watt told me today. “They turn everything into a very clear-cut moral issue, where everything is nicely packaged into a premeditated act.”

Swartz, of course, downloaded almost 5 million academic articles from JSTOR, a nonprofit that provides access to academic journals. It was probably illegal, although JSTOR decided not to pursue legal action. Heymann did, however, and very aggressively. Swartz, who had a history of depression, committed suicide just five days ago.

“If you look at the sorts of cases that [Heymann] prosecutes, he does seem to very much enjoy being the first one to accomplish something in a legal sense,” Watt said. “He seems to push the envelope … and I have certainly heard the word ‘bully’ used to describe Heymann. It was a common label.”

Watt was convicted of helping a criminal group steal 40 million credit cards from TJX and various retailers after creating a data-sniffing software tool for his best friend. According to Watt, he wasn’t in the conspiracy and didn’t know exactly how his software would be used; he just shared it, as is common in the hacker/cracker community. And he didn’t receive any of the ill-gotten gains.

“I acknowledge I’m a much less sympathetic character, simply because of the company I kept,” says Watt, a fitness addict who now runs a sports supplement store but is still negotiating with his probation officer over whether he can use computers. “What I do know is that in both cases you have actions taken by the defendants which are not in any way criminal … and actions which are not overtly criminal need to precipitate a much more nuanced investigation, and a much more appropriate sentence.”

When it comes to Aaron Swartz’s case, Watt says that prosecutors used the same damage and punishment matrix they had used for him. Based on the number of files and the calculated damages, Swartz was facing half a lifetime in jail and a million-dollar fine.

“But if you look at Aaron’s history, any reasonable person would assume he was not going to sell this information … he wanted to free this information,” Watt told me. “And yet you have this insinuation that he might have wanted to profit from it.”

When Heymann spoke in court about Watt, he highlighted Watt’s supposed “sociopathic tendencies” by finding quotes from Mike Tyson and the movie Fight Club on Watt’s MySpace page, he told me, insinuating that Watt had created his data-sniffing code as part of an attempt to “bring down the end of the country’s financial institutions.” Then, in closing comments, Watt says that Heymann said that he was “not someone to feel sorry for,” had enjoyed a “privileged background,” and that “his parents had read to him as a child.”

That kind of take-no-prisoners prosecution, Watt feels, contributed to Swartz’s suicide. And it’s something that doesn’t advance the pursuit of justice.

“In both situations there was a very compelling case that nothing illegal had been done,” Watt said to me. “To face those sorts of overwhelming odds … it’s just not justice.”

Watt, who will be speaking about his experiences with the law in April at Infiltrate 2013 in Miami, says the waiting is the hardest part.

“When I think of the stress that Aaron was feeling … that was absolutely the most psychologically debilitating time of the process,” he says. “It’s worse than being behind bars: You’re in limbo, you’re unable to work, and you’re financially hamstrung.”

Jonathan James, another hacker investigated in the TJX case for which Watt did time, committed suicide, leaving a note that said in part:

I have no faith in the ‘justice’ system. Perhaps my actions today, and this letter, will send a stronger message to the public. Either way, I have lost control over this situation, and this is my only way to regain control.

We should not destroy the lives of human beings for crimes against computer systems that harm no one and provide no benefit to the perpetrator. Such actions should be treated as forms of protest and civil disobedience. To prosecute these actions the same as rapes and murders is a savage abuse of the criminal justice system which continues to destroy the lives of peaceful, productive members of society.

The maker movement isn’t just for hackers anymore
http://venturebeat.com/2012/11/21/make-techshop/
Wed, 21 Nov 2012 17:00:26 +0000

The maker movement is in full effect. Step 1 was the hackerspaces of the 2000s. Step 2 is the DIY democracy at places like TechShop.

“I’ve always done a certain amount of work with my hands, but my whole career was in software.”

Rich Pekelney (pictured above) is standing in front of one of many mammoth machines in San Francisco’s TechShop, a DIY paradise full of industrial equipment for makers of all kinds.

The space is intimidating at first glance. Loud mechanisms tower and sprawl around the workshop’s several stories; people in welding masks and heavy protective gloves quietly bustle from one corner to another.

But after a few minutes in the shop, its aura of mystery quickly disappears. After all, people come here to learn, to weld, to screen print, to indulge their hobbies and acquire new skills. It’s a bit like a gym: Anyone can join as long as they want to do the work.

At TechShop’s San Francisco location, a $125 monthly membership fee gets you access to more than $1 million of industrial-grade machinery, industry-standard design software for 2D and 3D projects, unlimited workshop hours, and coaching from experts in given techniques and materials. You can purchase additional classes for equipment or skills, and the pricing isn’t prohibitive. For example, you can get trained on working with sheet metal for $75 in a two-hour class.

Pekelney came here at first because, like so many other TechShop members, he needed to make something that couldn’t be bought. In this particular case, it was a perfect replica of a trashcan for use on a restored World War II submarine, the USS Pampanito.

“Twenty years ago, when I started working on [restoring] the ship, there were so many really talented guys who could make you anything you needed,” he said.

“Now, they’re gone. … They aged out or they moved out of the city. They’re 80, and they can’t see, or their hands shake.”

So Pekelney became part of the maker renaissance, a growing movement of women, men, and kids who want to make cool stuff. They come to places like TechShop for access to state-of-the-art equipment you’d be hard-pressed to find outside of a heavy industrial facility (as Pekelney tells me, “I would not be using a $15,000 machine if it weren’t for TechShop”); but they stay for the classes and the community.

And many of them end up doing more than learning a new skill; more and more, part-time tinkerers are turning their TechShop experiences into full-time, self-owned businesses.

“Oops, I started a business”

Today’s maker movement includes a huge range of arts, crafts, and fabrication, and at least as many fascinating types of humans. You’ve got the steampunk/Burning Man crowd who build robotic art cars to drive around the desert. You’ve got radical lesbian feminist knitters and quilters who are reclaiming the “feminine” arts. You’ve got kids young and old turning a deep Lego obsession into huge, intricate projects for display, and you’ve got even younger kids tinkering with mass-produced starter kits to nurture an early obsession with electronics. And you’ve got would-be entrepreneurs just trying to crank out a prototype for a product that might disrupt the market.

Accidental entrepreneurship, I learn during an extended TechShop tour, is a not uncommon outcome for folks who walk through its doors seeking simply to finish a one-off project. The lady behind Better Off Wed, an Etsy store of statement cake-toppers, first came to TechShop to do a single piece and ended up making a business out of it. Another founder was doodling around with the shop’s laser cutter and ended up turning that into Yes & Yes Designs, a jewelry store.

There are dozens of stories like this from TechShop’s San Francisco store. The Bosavi headlamp came from a guy who walked into TechShop in September 2011 with no maker experience whatsoever. Now, he’s an inventor, entrepreneur, and TechShop instructor. A former ad copywriter sitting in the shop’s airy upper floor tells me that social media killed the advertising business; now, he makes and sells jewelry instead.

In fact, as maker advocate and Autodesk employee Jesse Harrington Au tells me during our tour, around 60 percent of TechShop members end up looking at starting their own businesses. Accidental entrepreneurship, he says, “happens more than I would have thought,” in no small part because all kinds of makers, from sewers, designers, and papercrafters to welders, carpenters, and painters, work under a single roof. The cross-pollination effects are huge.

Making’s roots

Dan Woods is a TechShop exec and was also part of another important cornerstone of the maker renaissance.

“When we co-founded Make, we thought we’d have maybe 10,000 people, old farts like us, from the ’60s,” he tells me as we meander through the shop’s panoply of machinery. “But there’s all these upstarts from Brooklyn with metal in their faces — and they get it.

“For some reason, it has become very trendy to express yourself physically,” says Woods, “and it is showing off.”

Woods has an aeronautics degree and used to work for Lockheed. I ask him point-blank what his job was. “I was helping pilots drop off — things — very accurately. … It was very cerebral.”

After that, Woods started working on Make with O’Reilly co-founder Dale Dougherty. Initially a simple quarterly magazine, Make was first published in January 2005 as a way to explore and encourage DIY and DIWO (do it with others) culture. Dougherty originally envisioned the publication as “Martha Stewart for geeks.”

Maker Faire was born out of Make magazine. First held in San Mateo, Calif., it was billed as the world’s largest show-and-tell and included more than 100 exhibitors, DIY workshops for learning new skills, and competitions. Nowadays, the Faire has exploded into a chain of events around the world, drawing in makers and spectators by the tens of thousands.

At the very first Maker Faire, robotics instructor and MythBusters science advisor Jim Newton showed up at the San Mateo fairground in a huge Army truck looking for a place to park it. Realizing that Maker Faire was leaving enthusiasts with a warm glow but no outlet for future DIWO/DIY action, Newton decided that people needed a slice of Maker Faire all year ’round. He opened the doors of the first TechShop in late 2006, hoping that Maker Faire would be not just a show-and-tell but a gateway experience that would democratize making and hacking.

The birth of the hackerspace

Hacker spaces were a relatively new — or at least relatively unheard-of — idea in 2006. One of the first such spaces, c-base was founded in Berlin in 1995. Its primary focus was on hacking computer hardware and software, and it developed a large following and mythology around itself.

But the hackerspace revolution didn’t really take off until Metalab popped up in Vienna in 2006. The revolution in this case wasn’t the idea that hackers should hang out and hack together; rather, the revolution was around the mechanism that would make the whole enterprise work: money. As an open space for technical creatives, Metalab was funded from membership dues; the funds allowed the collective to rent a physical space, purchase materials, and hold events. This model proved to be an important catalyst for what followed.

Starting around 2006, the concept of hackerspaces experienced a small, underground explosion. In 2007, Bre Pettis and a handful of East Coast hackers started NYC Resistor, also with a membership-based model. Noisebridge, another leader in the scene, opened its doors in San Francisco in 2008.

Noisebridge was co-founded by Tor Project and Wikileaks hacker Jacob Appelbaum and hardware hacking legend Mitch Altman. “He’s a kind of Johnny Appleseed for hackerspaces,” says Woods. “But hackerspaces are for … people who are already comfortable with technology.”

While the hackerspace forefathers succeeded in bringing knowledge to noobs, first-time visitors to hackerspaces — non-nerdy consumers — can end up feeling more intimidated than welcomed.

Plus, these spaces tend to focus on the thrilling anarchy of hacking computer systems, whether bundles of circuits and storage or collections of data. There isn’t as much opportunity for, say, the guy who wants to weld a new consumer snowplow prototype or the lady who wants to screen-print a band T-shirt design.

A cleaned-up, commercial hackerspace for everyone else

As these Matrix-reminiscent spaces and groups popped up around the globe in the mid-2000s, the idea began to catch on with the less technically advanced, as well.

“You go to a job, sit at a computer, maybe you design things, but you never get to see it through,” said Harrington Au, pretty much summing up the mid-career ennui anyone over the age of 25 has experienced. Without the ability to see your work in its immediate, physically complete form, you can end up feeling less connected to it, less aware of its impact on others.

“There’s very little opportunity for those little successes,” he says.

And the little successes one experiences at TechShop might be nifty toys, one-off playthings made for one’s own amusement. But more often than not, the TechShop staff say the projects are immediately useful; they have a purpose in the real world and often fulfill a legitimate need in the marketplace.

That’s the kind of accidental entrepreneurship TechShop fosters. If these kinds of stories are any indicator of the organization’s future direction, it’s shaping up to be a casual incubator for the next generation of hardware and consumer goods companies.

Woods tells a great story about a Stanford undergrad student who was at TechShop working on a problem with polymers. The student expressed some frustration aloud about the particular problem; as fate would have it, a professor with 30 years of experience in polymers overheard him and offered help. The project is the Embrace Infant Warmer, a small, reusable sleeping bag for babies that keeps at-risk infants warm during medical emergencies. The project is funded by GE and was recognized at the annual Silicon Valley Tech Awards.

As we finish our tour in the textiles section of TechShop’s enormous warehouse, Woods waves his arm around the room, his gesture taking in the wildly diverse group of tinkerers intently bent over their projects.

“The most valuable thing is this,” he says. “It’s the members — their encouragement, their knowledge, their experience. … And they are dying to share what they know.”

Earlier today, I posted about AuthenTec, a recent Apple acquisition that has had some security issues with software it produced for Windows PCs. One of the company’s products, a biometric security package called Protector Suite, stored passwords insecurely.

The issue was highlighted by security company Elcomsoft on August 28, and rose to prominence again in the past few days when an open-source project enabling easy exploitation of the security hole was posted to Github. I noticed it yesterday on Ars Technica, and today contacted Apple for comment, as well as phoning AuthenTec directly.

Apple didn’t return either of my two calls, and when the person I talked to at AuthenTec told me only that the software was discontinued (I also left a message for a product manager, who did not return my voicemail), I wrote a story based on the facts I knew.

But a reader checked AuthenTec’s support site, which I had not seen, and discovered that a new download is available for Protector Suite. In fact, according to the information on the support site, it’s been available since September 18. And in the release notes is a direct response to the security issue: “Changed passport encryption implementation.”

So the software does appear to be patched.

Now, I’d appreciate it if AuthenTec had made that known on its corporate website, not just the support site. And there seems to be no direct link from AuthenTec’s corporate website to its support site. In addition … it’d be nice if Apple had returned my calls, or if the person at AuthenTec knew that the software had already been patched.

All that aside, however, the fact remains: the software had been patched, and I wrote a story saying it was not. So … I was just plain wrong.

As soon as I saw the note from our reader — you rock, by the way — I updated my original story with a note.

But I felt that an additional story needed to be written, because as I check Google News for “AuthenTec” or look at MacSurfer’s list of Apple security stories, all of the posts still say that Apple’s subsidiary still has unpatched, vulnerable software. And that’s simply not the case today, as far as I can tell. No one seems to have picked up on the fact that our reader found.

In fact, according to what the reader subsequently sent me, the patch has been delivered to all affected computer manufacturers. (AuthenTec, Apple, please feel free to add any missing details.)

So the record needed to be set straight. I trust that it now is.

VentureBeat’s goal is accurate, timely information. So is mine. It’s not always easy or straightforward, and sometimes I screw up. When that happens, we do our best to make it right.

That’s a personal commitment, and I think I dare speak for everyone else at VentureBeat on that point as well.

iPhones hear the name “Charlie Miller” and run, Siri screaming out her mortal fear. Charlie Miller, the notorious Apple device hacker, is taking that fear and channeling it for the greater good of his newest employer, Twitter.

Yes, Twitter confirms to VentureBeat that the social site has hired the gray-hat security expert, who got his start working for the U.S. National Security Administration. At Twitter, Miller takes on the role of systems software engineer and reports to Moxie Marlinspike, the hacker who ran Android security shop Whisper Systems until Twitter acquired it last year.

After his five-year stint at the NSA, Miller went on to hack Apple products of all kinds and was the first hacker to find a critical bug in the MacBook Air. He also created a proof-of-concept app for hacking iPhones and iPads; the app got into the App Store, smudging a bit more egg on Apple’s face in the process.

Miller earned a Ph.D in mathematics from the University of Notre Dame. He’s working remotely from his home office in St. Louis, Missouri.

“It’s going to be bug genocide, my friend!” the hacker quipped on Twitter.

Twitter’s latest hire: Epic Apple hacker Charlie Miller

Hacker holds alleged Romney tax returns ransom for $1M in Bitcoins
http://venturebeat.com/2012/09/05/romney-tax-returns-hacked/
Wed, 05 Sep 2012 19:40:16 +0000

Ready for the most outlandish story of your day? Here we go. Today a hacker allegedly stole Mitt Romney’s tax returns and is demanding $1 million in Bitcoins for silence. The hacker also sent a USB drive and letter to the Republican and Democratic party offices in Williamson County, Tenn. as proof.

Williamson County Republican party executive director Jean Barwick confirmed to VentureBeat that the U.S. Secret Service has taken the USB drive and letter from the GOP party office to examine it and see if this is a hoax or a real situation.

“We don’t know what this will turn into, if anything,” said Barwick in an interview with VentureBeat. “[The Secret Service] didn’t say what they would do with it.”

In a letter, the hacker says the records were stolen from PricewaterhouseCoopers in Franklin, Tenn.

PricewaterhouseCoopers PR managing director Chris Atkins told VentureBeat in an e-mail, “We are aware of the allegations that have been made regarding improper access to our systems. We are working closely with the United States Secret Service, and at this time there is no evidence that our systems have been compromised or that there was any unauthorized access to the data in question.”

… We were able to gain access to your network file servers and copy over the tax documents for one Willard M Romney and Ann D Romney. We are sure that once you figure out where the security breach was, some people will probably get fired but that is not our concern.

Barwick went on to tell me that the GOP office did not call the Secret Service but expects that news traveled through the U.S. Attorney’s Office, which prompted the confiscation. She also added that she doesn’t believe they are the only office that received a letter such as this, though she’s hearing conflicting stories.

In the letter, the hacker threatened the release of the tax returns to “all major news media outlets” if the Bitcoin ransom is not received (the hacker also politely suggested people should “Google it if you need a lesson on what Bitcoin is”). The person also set up a bit of a race for Romney: first to pay the sum will receive the goods.

Getting your data back might cost you big time. Same for not having “those pictures” spread all over the Internet. And that’s just one of the new attack vectors targeting Android phones in the past few months, according to security firm McAfee.

The attacks range from the traditional and fairly well-known email-with-bogus-attachments to the downright Machiavellian: drive-by downloads. As with desktop drive-bys, simply visiting a site initiates the attack.

Once they’re in, your data can be held hostage as “ransomware” threatens deletion — or publication — unless you pay up.

Users still need to authorize an install, but as McAfee says, “when an attacker names the file Android System Update 4.0.apk, most suspicions vanish.” That’s because it looks like an official update to the Android operating system.

In the past three months alone, McAfee has seen 2.7 million new websites on 300,000 new domains that are either infected or created specifically by malware authors to trap the unwary.

The big surprise in the huge increase on Android isn’t that Android is being attacked: Google’s smartphone platform has been a key focus for the bad guys for some time. The big surprise is that Google has not managed to stem the tide in any significant way.

Above: Mobile malware by platform … where’s iOS?

Image Credit: McAfee

Security concerns on Android should not be news to Google, and Google should be putting security at the top of its list of priorities. But Google’s Bouncer software, which is supposed to be protecting users by scanning apps on Google Play for any malicious code or behavior, often appears to be asleep at the switch and easily fooled.

Sorry, Google fanboys: Android security suffers as malware explodes by 700%

Mini underwater sub raises $111K for amateur ocean exploration
http://venturebeat.com/2012/08/12/mini-underwater-sub-raises-111k-for-amateur-ocean-exploration/
Sun, 12 Aug 2012 17:00:44 +0000

OpenROV, a mini submarine developed in a Silicon Valley garage, has been hailed by the world’s media as the key to unlocking the earth’s last frontier.

No pressure, or anything.

The 20-something creators, David Lang (pictured, above) and Eric Stackpole, did not anticipate that their open-source robot would infatuate the press or be viewed as the low-cost alternative to subs like the Deep Sea Challenger, which took filmmaker James Cameron to the deepest, darkest recesses of the western Pacific.

“At the outset, we thought this might be a great project to discover underwater caves that are too small for divers,” said Lang when I met up with him at open-access workshop TechShop in San Francisco, where he and Stackpole make their parts. “Our ideas for what we wanted to use it for were dwarfed by the community.”

Environmentalists and marine archeologists already say they plan to use OpenROV to discover shipwrecks in Cuba and spotlight pollution in the high seas. Treasure hunters can use the mini sub to look for gold in uncharted waters. In November, Stackpole will be headed to Antarctica as an under-ice pilot in a larger-scale, commercial grade ROV.

“We don’t want to be the wealthiest mini sub builders in the world,” said Lang. “Our goal is to have a high return on adventure.”

Above: TechShop, the site where Lang and Stackpole solder the submarine’s parts.

On popular crowdfunding platform Kickstarter, OpenROV took on a life of its own and far exceeded its funding goal by netting $111,622 from 484 backers.

Lang told me no one has used OpenROV to successfully discover any buried treasure in the ocean’s depths, yet.

The founders’ singular focus is to keep up with the demand for the kits. At TechShop, Lang and Stackpole laser cut electronic material and plastic and hand-pack and mail the kits. Lang told me that the most common purchasers are tinkerers and hobbyists, who add their own flourishes like robotic arms, payload equipment, and additional cameras.

The TechShop chain is a recent addition to the Bay Area, and is a paradise for hardware geeks. For $100 per month, anyone can access high-tech equipment such as 3-D printers. Classes taught at one of the TechShop hacker spaces include Welding 101, and are available for a few extra dollars. At TechShop, Lang learned how to build robots and work with machines in less than six months.

Above: OpenROV, a mini submarine, can dive as deep as 100m.

The basic prototype has been through 35 iterations and is designed to be portable and cheap. At the basic level, it’s an open-source, remotely operated robot that can be deployed underwater and navigated in 3D using a laptop.

The little robot is elegantly simple, but the real innovation is its inexpensive parts. OpenROV is available for $750, and anyone with a knack for DIY can use it to scale the depths of the ocean, as far as 100 meters.

But if you want an underwater robot of your own, you’ll need to be a dab hand with a soldering iron, as the robot is sold in a kit filled with parts.

To keep tabs on how the robot is being used, the pair launched a company blog and discussion forum. It is already proving to be a powerful tool for small-town environmentalists.

OpenROV can be fitted with video equipment to highlight the pile-up of junk in lakes and ponds. It can go in tiny crevices, where a diver can’t. One user plans to search for evidence of plastic pollution in the uncharted, murky depths of a seabed.

At TechShop, where Lang spends the bulk of his time, he tells me that these findings are the tip of the iceberg for OpenROV. “Our story is just the beginning,” said Lang, who animatedly points out a number of other cool projects that are in development.

“We do know that deep sea exploration, space exploration, drones, 3-D printing are now something that anyone can do,” he said.

Check out this phone-controlled robot from a Twilio/Node.js hacker
http://venturebeat.com/2012/07/03/phonebot/
Tue, 03 Jul 2012 18:50:04 +0000

An aspiring hardware hacker at Twilio has used his company’s own telephony APIs as well as Node.js and Arduino to build the charming robot you see in the clip above.

We just about overloaded on developer buzzwords there, so let’s back it up a bit.

The bot was built by Twilio developer evangelist Jonathan Gottfried, to whom we say, nice work, Jon! There’s no quicker way to developers’ hearts than showing them how to build and code a robot, and no better way to evangelize for your company’s software than by using it in said robot in an actually interesting way. Twilio overlords, give this man a raise!

“Robots have fascinated me for as long as I can remember,” writes Gottfried on the company blog. He then proceeds to go into great, and we mean great, detail on how the bot was made “using Twilio, Arduino, Node.js, and the RN-XV WiFly module.”

The result is a robot you can control from your phone’s keypad. The post includes step-by-step images and lots of code snippets.

You might be asking, “Why, why in heaven’s name, would anyone use Node for such a task?” The Hacker News army asked the same thing, to which Gottfried replied, “It was the easiest way I found to set up a simultaneous HTTP server and TCP socket to the bot.”

In the HN thread, Gottfried also said, “The hardest part for me was getting the Wi-Fi module to work,” and, “It’s pretty fun to play with, honestly. Hasn’t tried to kill me yet….”

The rise of the hack
http://venturebeat.com/2012/03/15/the-rise-of-the-hack/
Thu, 15 Mar 2012 18:09:01 +0000

GUEST:

I didn’t know it could be someone’s job to attend hackathons. I hadn’t heard of a developer evangelist before, so a year ago when I stumbled across an opportunity to become one, I was drawn by its novelty.

The mission was to build a developer community from the bottom up by saturating the hackathon scene, gaining allegiance from the early-adopters, the enthusiasts, the hackers. The kind of people who geek out over a new JavaScript library, smother their MacBook Airs with stickers, and maintain wardrobes consisting primarily of startup t-shirts.

If the goal is to build a business on an API, were hackathons the place to start? I wasn’t sure. The tactic seemed so niche. But hey, if someone wanted to pay me to travel and build weekend hacks, that sounded fun to me.

My first hackathon surprised me. I expected it to be quiet and secluded, consisting of the most die-hard geeks, an exclusive community disconnected from the outside world.

But it wasn’t. It was inviting. It was cool. It was a spot for anyone with an entrepreneurial itch to try something new, from bankers to artists to lawyers, all sprinkled amongst designers and developers of all skill levels.

I expected it to feel underground, but it didn’t. Microsoft and Amazon, among other high-profile sponsors, pitched their tools, platforms, and APIs to an eclectic group of would-be world-changers.

I realized after that first event that my weekend calendar was not going to be free for a while. There was no shortage of events to attend or companies wanting to throw sponsorship dollars at those events.

I travelled to hackathons in Dallas, Portland, Boulder, Chicago, Las Vegas, Seattle, DC, and Boston, among others. In every city I went to, I asked the same question: what’s the tech scene like here?

Every time I got the same response: It’s growing.

Everywhere I went, people told me that their tech community was thriving, that their city was going to be the next big tech hub. A year ago there was nothing. Now there were incubators, investors, meetups, and new hackathons popping up every month.

It quickly became clear to me that hackathons are not an outlandish trend, popular only among techies in Silicon Valley and NYC. They are a national phenomenon.

So I asked 150 hackathon attendees, hosts, and sponsors from across the country what they thought about the rise in hackathons. I found some interesting things:

Why they go: Learning (85 percent) and networking (81 percent) were the top two reasons, followed by changing the world (38 percent) and winning prizes (28 percent). More people are interested in the tech scene and want to learn to code, but this community has many people who really have big, often altruistic visions. Hackathons offer newbies an environment to learn from experienced coders while building something tangible. Some of those hacks have turned into real businesses, like GroupMe, Launchrock, Zaarly, and Foodspotting.

APIs are a core strategy: 78 percent of event attendees said APIs are becoming an increasingly integral part of their business strategy. They attend hackathons to increase awareness (56 percent), partner with other cool brands with APIs (75 percent), and build a showcase of apps using their API (56 percent). Since hackers are driven to go to these events, hackathons are a good place to get in front of early adopters, get feedback, and gain enthusiasts for a new API.

Women are underrepresented: While this is true in many areas of the technology and startup worlds, it was interesting to note that only one in 10 attendees at hackathons are women.

So many hackathons: The combination of more people wanting to hack on new projects, and more companies wanting to get their APIs consumed has stimulated a surge in hackathons. The top three reasons why attendees believed there are more and more hackathons going on were: an increased awareness of APIs (46 percent); an increased general interest in tech (40 percent); and an increase in the number of hackers (39 percent).

It will be interesting to see if these findings change over time. Perhaps my company will run the survey again next year. But for now, we compiled our findings into a nice infographic to provide a bit of a peek into what really goes on at those hackathon events.

Jon Mumm is a developer evangelist for TokBox, a San Francisco-based startup that provides an API for live video chat. Follow his hackathon adventures on Twitter @jonmumm.

Github community in turmoil after hacker exposes massive security flaw
http://venturebeat.com/2012/03/05/github-community-in-turmoil-after-hacker-exposes-massive-security-flaw/
Mon, 05 Mar 2012 12:07:45 +0000

Github, the service that many professional programmers use to store their work and collaborate on coding, was hacked over the weekend. A young Russian named Egor Homakov showcased a loophole in Github that would allow anyone to commit to the master copy of a project, meaning they could alter or delete the source code. But when his account was suspended by Github, a furious argument broke out among developers about his intentions. Was he doing the community a service by exposing the flaw or taking things too far with a very public hack?

It seems that four days ago Homakov tried to alert the folks behind Rails, one of the most popular programming languages, and the one used to create Github itself, about the security flaw. There was some back and forth for a day, and eventually the powers that be decided to close the thread, writing that “There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.”

But Homakov wasn’t going to go down without a fight. Since he couldn’t get things fixed through the proper channels, he decided to use the exploit himself. He used the loophole to give himself access to the Ruby on Rails code repository and left a message confirming that any project on Github was indeed vulnerable. He didn’t change any code or do anything malicious.

When Github saw what happened, they suspended Homakov’s account, which created a firestorm of protest. A blog post entitled, Github, You Have Let Us All Down shot to the top of Hacker News, the world’s biggest news board for programmers. Github users threatened to pack up their projects and head to alternative services, claiming they felt vulnerable to hackers and betrayed by the response.

In the end, Github restored Homakov’s account and issued a public apology. It was a reminder that Github, which has become the de facto platform for collaborative coding, needs to take security very seriously. Software engineers often use their Github accounts as resumes when applying for jobs, so they have to feel their work is safe from tampering.

It was also an example of the wisdom of the crowd getting things wrong. Github exemplifies the benefits of open collaboration. In this case, though, the crowd got it wrong, and it took a single contrarian, willing to work by any means necessary, to show the community the danger it was in.

The “world’s most wanted hacker,” Kevin Mitnick, has gone straight (interview)
http://venturebeat.com/2011/10/21/interview-with-the-former-worlds-most-wanted-hacker-kevin-mitnick/
Fri, 21 Oct 2011 20:00:10 +0000

Kevin Mitnick was once labeled the world’s most wanted hacker. Back in 1992, he tangled with a mystery hacker named Eric, setting off a duel that led to a chain of events that spun out of control.

After an FBI manhunt, he was caught in 1995 with the help of security expert Tsutomu Shimomura, who wrote about the experience with New York Times writer John Markoff. Mitnick spent five years in jail, including eight months in solitary confinement.

At first, Mitnick wasn’t allowed to tell his side of the story, thanks to a gag order. Now he has penned a book about his life on the run, co-written with author William L. Simon. Called “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” the title has stayed on the New York Times Bestseller list for several weeks.

After getting out of prison, Mitnick pulled his life together as a “white hat” hacker, or one who helps companies by testing the security of their networks via Mitnick Security Consulting. Now he frequently talks about how to protect yourself from wily cyber attacks.

VB: Hi Kevin. We’ve talked before when you published your books, The Art of Intrusion and The Art of Deception. At the time, you had a gag order that did not allow you to write about your arrest and the events leading up to it. Now that it has expired, you’ve revisited those memories. Why?

KM: I had a deal with the government for about seven years after I was released from custody. So it expired around Jan. 21, 2007. After that, we decided to work on my memoir, Ghost in The Wires. That was finally published on August 15. The other two books mentioned my life on the run, but they were really about the lessons I learned with social engineering and how organizations could mitigate the risk of falling victim to it. That book was The Art of Deception. The Art of Intrusion was really kind of just talking about the stories of other hackers that were in the news, and some where the perpetrators were never identified.

So what I like best of all three is my life story, Ghost in The Wires, because it’s kind of like a Catch Me If You Can version for a computer hacker. What is unique about it is that it is a true story. People really seem to like it.

VB: Yeah, I noticed you tweeted about how it’s still on the New York Times online bestseller list.

KM: Well, this week it was 23, last week it was 12, the week before that it was 15, the week before that it was 16. So I have been on the New York Times best seller list a month so far.

VB: Congratulations. Why do people want to read it?

KM: Thank you so much. I never expected it but I guess it’s a great story and it’s written very well. So people are interested in it and I guess I’m the cyber version of Frank Abagnale.

VB: It’s probably only fair since there were other bestsellers that were written about you.

KM: As far as I am aware, the only hacking book that made the bestseller list was a book called The Cuckoo’s Egg by Cliff Stoll. The Takedown book never made it to the list and in fact it was a very poorly reviewed book.

VB: Did you ever figure out why the government had such an unusual gag order in place here? It seems pretty rare.

KM: Well, one of the things was they wanted to profit off my story and they wanted to keep everything under a protective order, meaning that I was essentially forbidden to talk about it. So I had to be very careful because there is still stuff that is still under protective order that I couldn’t reveal. And so I had to be very careful to still tread around that restriction. The seven-year restriction was to prevent me from earning any revenue from my free public expression. They learned that from cases like the (murderer) Son of Sam.

So they had to do it that way because there are laws that are usually applied to violent crime cases to prevent people from profiting by telling the story. But it’s a prior restraint on free speech, so the Supreme Court has since struck down those laws. That was how the federal government dealt with it back then. It was part of the plea agreement.

VB: So what really drove you to write this new book after the gag order lifted and you were free?

KM: To get the story out. It wasn’t really about making money. I mean, I make money from my security business and my public speaking career, because I go around the world doing a lot of public speeches, keynoting at conferences. I make plenty of money doing that. So it wasn’t really about the money; it was about getting my side of the story out. I thought it was a great story to tell and that people would enjoy it. And I really want to focus on the chase, because my story is kind of a cat-and-mouse game with the federal government.

The “world’s most wanted hacker,” Kevin Mitnick, has gone straight (interview)

Hacking water meters is easier than it should be
http://venturebeat.com/2011/08/06/hacking-water-meters-is-easier-than-it-should-be/ (Sun, 07 Aug 2011 00:04:55 +0000)

The smarter water meters become, the easier they’re getting to hack. Like many things in electronics, water meters become easier for hackers to break into and misuse when they are upgraded to include wireless and computer technology.

John McNabb, a security expert who has focused on protecting drinking water, told the audience at the Defcon hacker conference in Las Vegas today that, despite a $40 billion water economy, it’s still far too easy to hack into water meters used by utilities around the country. He concluded that the nation’s 150,000 water utilities have a number of well-known vulnerabilities to cyber attacks and that they should fix them on behalf of the 250 million consumers they serve.

“The energy theft when it comes to water theft is billions of dollars a year,” McNabb said. “Electric utilities assume they use about 10 percent losses to theft each year. Water could be similar, and it winds up increasing the rates for others.”

Lots of water meters are still mechanical devices. Water companies lose revenue when those meters get old and sediment builds up in them so that they measure lower water usage. Utilities have started to put in wireless water meters that are easier to read and less costly. For instance, some meters broadcast a wireless signal so that a meter reader can simply drive by, detect the signal, and record it electronically. That reduces the cost of reading meters. Here’s McNabb’s white paper on the topic.

Adding computer technology throughout the infrastructure helps bring down costs. It’s easier for utilities to monitor usage on any given day and send bills more frequently. They can also detect water leaks more precisely, based on water usage patterns throughout the population. Water meters with wireless attachments can become sensors for the utility and two-way communications systems. Utilities can also resolve billing disputes better, provide more customer service, enforce water conservation, and identify illegal water connections.

Smart water meters are the new thing. The smart water meter market is expected to total $4.2 billion between 2010 and 2016, according to market researcher Pike Research. And Pike predicts that the worldwide installed base of smart water meters will increase from 5.2 million in 2009 to 31.8 million by 2016. The market researcher defines a smart meter as a component of a smart grid, with two-way communications between the meter and the water utility that allows the utility to get readings on an hourly (or more frequently) basis and issue commands to the meter. California in particular is racing ahead in deployment, and 25 manufacturers are making the smart meters now.

“It’s like an electronic cash register for the utility,” McNabb said. “But it could also be a tool for Big Brother,” a reference to the totalitarian figurehead of George Orwell’s novel, 1984.

The problem with the wireless water meters is that they are vulnerable because of the wireless medium they use. Communications are not encrypted (largely due to higher costs) and so they are easily intercepted, faked or even jammed. The sensors are unattended and hang on the meter, outside the house, and so they are easily tampered with. The cyber attacks against them can be active, where commands are issued to them, or passive, where the data is taken.

If people want to reduce their water bills, they could hack the sensors. They could also increase the bill paid by a neighbor they don’t like, or evade restrictions on the amount of water used. And since the usage of water indicates the presence or absence of the homeowner, the hacked water meters can be used for surveillance purposes.

Last year, Greek hacker Thanassis Giannetsos demonstrated how it was possible to introduce a worm to the smart electrical grid (similar to water grids) on a simulated network. IOActive, a security penetration testing firm, also did something similar. But McNabb said that the concern about Big Brother is also a big one. He said that the water department’s staff could learn what time of day you take a shower, when you are at home, and when you’re on vacation.

“Are we being paranoid?” McNabb asked. “It’s already established that law enforcement is using electricity use and thermal imaging,” where the heat generated by indoor marijuana-growing farms has been measured.

McNabb also noted that the Hydrosense device created by researchers at the University of Washington in Seattle can be attached to water faucets to determine the usage coming out of a particular fixture in the home.

McNabb said his research showed that vendors don’t use frequency hopping spread spectrum (FHSS), which could stop eavesdropping on wireless signals, or encryption with their smart meters. One utility used a default password system which used a generic password on its web site (where users would log in and view their water usage) that was easily hacked. Transceivers for sending commands to the water meters can be purchased on eBay.

But some manufacturers are starting to build 128-bit encryption and spread spectrum security into their meters. McNabb, who was an elected water commissioner and managed a small water system for 13 years, described the vulnerabilities in some detail, including how to inexpensively “sniff” the wireless water meter readings, and has written them up in a white paper. He said he will put it online in the near future.
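As an added illustration (not McNabb’s code, nor any vendor’s meter firmware), the Python sketch below contrasts a reading frame that is believed as-is with one carrying a 128-bit keyed tag and a sequence number; the frame layout, meter id and key are constructed for the example, and a truncated HMAC stands in for whatever authenticated scheme a real meter would use.

```python
import hmac
import hashlib
import struct
BODY_FMT = ">III"  # meter_id | sequence number | cumulative litres (big-endian uint32 each, 12 bytes)
TAG_LEN = 16       # 128-bit tag: truncated HMAC-SHA256, a constructed stand-in for a real meter's scheme

def accept_unauthenticated(frame: bytes):
    """Baseline like the meters McNabb describes: no key, no tag, any 12-byte body is believed."""
    return struct.unpack(BODY_FMT, frame[:12])

def make_frame(key: bytes, meter_id: int, seq: int, litres: int) -> bytes:
    """Meter side: body plus a keyed tag that only holders of this meter's key can produce."""
    body = struct.pack(BODY_FMT, meter_id, seq, litres)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Utility:
    """Receiver side: per-meter keys plus the last accepted sequence number to reject replays."""
    def __init__(self, keys: dict):
        self.keys, self.last_seq, self.readings = dict(keys), {}, {}

    def accept(self, frame: bytes) -> str:
        if len(frame) != 12 + TAG_LEN:
            return "malformed"
        body, tag = frame[:12], frame[12:]
        meter_id, seq, litres = struct.unpack(BODY_FMT, body)
        key = self.keys.get(meter_id)
        if key is None:
            return "unknown meter"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time check; forged or altered body fails here
            return "bad tag"
        if seq <= self.last_seq.get(meter_id, -1):    # a captured frame sent again is rejected
            return "replay"
        self.last_seq[meter_id], self.readings[meter_id] = seq, litres
        return "ok"

def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    util = Utility({4242: key})
    genuine = make_frame(key, 4242, seq=7, litres=15300)
    tampered = genuine[:8] + struct.pack(">I", 100) + genuine[12:]   # litres field rewritten in transit
    forged = struct.pack(BODY_FMT, 4242, 8, 100) + bytes(TAG_LEN)   # built without the key
    return {
        "plain_believes_forgery": accept_unauthenticated(forged)[2],
        "genuine": util.accept(genuine),
        "tampered": util.accept(tampered),
        "forged": util.accept(forged),
        "replayed": util.accept(genuine),
        "next": util.accept(make_frame(key, 4242, 8, 15420)),
    }
```

A tag and counter address the faking and replay McNabb describes, but the litres value is still readable to anyone sniffing the band, so confidentiality needs encryption on top.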

Sniffing wireless water meters shouldn’t be too difficult, he said, but there are some technical hurdles. Most U.S. meters broadcast in the 900 megahertz band of the wireless spectrum. That is the same frequency as cell phones, and there aren’t any off-the-shelf devices to sniff packets from them. Also, most of them scramble the signal by using spread spectrum, which sends out part of the message on one frequency, the next part on another, and so forth. However, other researchers have shown how to unscramble the spread spectrum code, so McNabb plans to build a device to sniff the 900 megahertz spread spectrum signals to show how it can be done and why it needs to be more secure.